Once you’ve worked out the minimum skill standard for your development teams using tournaments, courses, and assessments, the next step in a mature secure coding program is creating a certification program.
Certification is about creating a set of levels within your company that are defined by certain skillsets or experience. It’s a way to help set goals for developers and offer them some well-deserved recognition for achieving them.
- Determine your certification levels
- Building skills and going further
- How much certification is required?
Determine Your Certification Levels
The first step in building a certification program is to decide on a naming convention for your certification levels so you can build your program messaging.
Some ideas to consider:
- Levels
- Ranks
- Belts (think Karate belt colors)
- Stages
- Medals (platinum, gold, silver, bronze)
You can get creative for this, but the important part is that you lay down a repeatable learning path for newly ‘baseline certified’ developers to follow.
Determining the baseline is step one. For this article, we'll just go with "Levels". Everyone that passes the baseline is considered ‘Level 1’ or equivalent in your certification program.
A clearly defined certification program encourages developers to keep using the Secure Code Warrior® platform to build their skills with a view to gaining further accreditation (i.e. a ‘Level 2’ certification).
Building Skills and Going Further
Moving on from the baseline, the goal should be to help developers pursue the next level of certification, uplifting both themselves and their teams along the way. To move from one level to the next, consider creating "Certification Assessments" designed to meet certain criteria.
These "Certification Assessments" should:
- Be more challenging than general and baseline assessments
- Have limited or no retries
- Include challenges that meet your certification criteria (Organization dependent)
Note: For more info about assessments, check out our Assessment Module Overview article.
Here’s the structure of a recommended best-in-class certification program. Take a look at the table for a quick overview, then read on to see each level in more detail.
| | Level 1 | Level 2 | Level 3 |
| --- | --- | --- | --- |
| Coverage | Top 2-3 vulnerabilities of the industry or SCW recommendation | Remaining coverage of the industry or SCW recommendation | Full concept coverage beyond the industry or SCW recommendation, including less common and more esoteric security issues, as well as advanced modules revisiting earlier topics |
| Communicated as | The License to Code: the minimum requirement to be able to access all code repositories | The Company Baseline | The Security Champions level. It is also recommended to include additional security tasks to meet this level, such as participating in or leading a threat modeling exercise for a new application, and mentoring less security-mature developers |
| Completion | Mandatory | Optional, but incentivized through career progression, certificates, bonuses, recognition, or removing certain required security mandates before pushing code to production; mandatory as the organization matures | Optional, but incentivized similarly to Level 2 |
Certification Level 1
This is the minimum skill baseline that all developers must reach, so it’s quite important. The focus should be on identifying and fixing the key security weaknesses affecting your particular organization across your various applications.
Example: If you identify 10 key company-specific weaknesses, the minimum skills can include identifying and remediating 3-5 of those vulnerabilities.
This leads to some very specific learning that benefits developers in their day-to-day roles. To reach this certification level consider the following requirements:
- Having the course be optional and assessment mandatory, allowing users to test out if they already know the material.
- Successfully achieving the pass percentage of 70% on assessments.
The idea behind a 'Level 1' or License-to-Code certification is that it's achievable for all developers, keeping in mind the different security awareness levels and the fact that new or junior devs joining your organization won't have prior knowledge of the specific key weaknesses your teams deal with.
Certification Level 2
By now, developers should be able to address all company or team-specific key weaknesses. Open things up for 'Level 2' or Company Baseline and focus on identifying and remediating the remaining vulnerabilities of the industry or SCW recommendation. This education tends to be much broader, providing more learning and upskilling opportunities for developers.
This certification level is where you might see a few of your Senior Devs as they already offer a degree of mentorship to their peers.
The recommended requirements for 'Level 2' are similar to 'Level 1':
- Having the course be optional and assessment mandatory, allowing users to test out if they already know the material.
- Successfully achieving the pass percentage of 70% on the Level 2 Assessment
Progression to this level doesn’t have to happen immediately or at all. Each developer will have a different amount of time they can dedicate to training, so it’s important to keep that in mind.
Certification Level 3
To be 'Level 3' certified, which means becoming a Security Champion, developers should show an interest in advancing further. Skill-wise, they should be able to identify and remediate not only the vulnerabilities of the industry or SCW recommendations, but also less common and more esoteric security issues.
These developers will be very interested in finding new ways to examine coding security and share knowledge with those around them. They also act as an extension of the Security teams, helping with various security tasks to ensure that secure code is pushed to production.
To reach this certification level, consider the following requirements:
- Having the course be mandatory, as it covers both less common vulnerabilities and advanced modules on the vulnerabilities from the industry or SCW recommendations.
- Having the assessment also be mandatory.
- Successfully achieving the pass percentage of 70% on the Level 3 Assessment.
- Involving Security Champions in security tasks, such as threat modeling, taking the lead on security testing, etc.
- Creating a mentor program where Security Champions coach less security-mature developers.
How Much Certification is Required?
While it’s tempting to want all developers at a 'Level 3' certification, in reality, it may not suit everyone’s work style, company size, or rate of hire. Higher certification levels can often lean toward taking on more people-oriented roles whereas some developers are more passionate about building and coding.
The nice thing about a certification program is that it gives developers the option to choose how and when to build their skills and seek out individual growth opportunities.
Most of your developers will be 'Level 1' or 'Level 2' and this is totally fine; having a mix of different levels amongst your teams helps promote skill diversity. Their secure coding skills and awareness at these levels are excellent and will continue to increase by upskilling in the Secure Code Warrior platform through Tournaments and other events that are run alongside the certification program.
The goal with a certification program is not only to have highly decorated developers, but for the developers to have a hand in creating a positive skill-building culture they want to be a part of.